FortiGuard Labs has a dedicated team of researchers that look for vulnerabilities and weaknesses in high-impacting programs and applications. The intent is to find the vulnerabilities before the bad actors, and work with the affected vendors to get an effective patch released before the vulnerability is exploited.

In December, the FortiGuard Labs research team discovered a vulnerability in QuartzCore of macOS and iOS. This week, Apple released two updates: macOS 10.14.3 and iOS 12.1.3, which include the fix for this vulnerability with the identifier CVE-2019-6231. The vulnerability could allow a malicious application to be able to allow access to restricted memory.

QuartzCore, also known as CoreAnimation, is a framework used by macOS and iOS to create animatable screen graphics. It uses a unique rendering model where the graphics operations are run in a separate process. The process is WindowServer. On iOS, the process is backboardd. Both of these processes have the right to call setuid.

The serivce named com.apple.CARenderServer in QuartzCore is usually referenced as CARenderServer. This service exists in both macOS and iOS, and can be accessed from the Safari sandbox. There also exists an integer overflow when QuartzCcore handles image objects in the function CA::Render::Image::Decode().

You can get the full details of our analysis on the blog, where we deep dive into the macOS vulnerability [Read More]. Apple spells out more details around their two updates here

Anatova Ranswomare - A new multi-module ransomware has been discovered. Anatova is being reported across the globe, with most detections in the United States, followed by Belgium, Germany, France and the United Kingdom. The malware authors typically use an icon for a game or application as a decoy to entice users to download it.

Anatova, when launched, asks for admin privileges, runs a few checks and then encrypts files on the computer. It then demands 10 DASH coins ($700 value). The ransomware's multi-module feature extends its capabilities to cause further villainous activities, at a later time, potentially becoming an 'all-in-one' tool. Anatova reportedly contains an anti-analysis routine by embedding a memory cleaning procedure that appears to activate under certain conditions. One interesting tactic is checking the username of the logged-in user, if it matches a specific list, then a cleaning process is employed and the ransomware exits. Interestingly, the ransomware also encrypts using some tricks - encrypting most of the strings and using different keys for decrypting them, and relying on dynamic calls. Each victim needs a separate and specific key to unlock the encrypted files. Additionally, to eliminate file recovery opportunities, the ransomware destroys the volume shadow copies overwriting them ten times ensuring no backup local files is possible.

Due to Anatova's obfuscation capabilities and the ability to infect network shares, there is concern that this could be a potentially serious threat. Note that while we have seen ransomware threats trending down in overall numbers of late, this type of threat is still poses a consequential problem and should be taken seriously. For more details: [Read More]

Drupal.Core.database.inc.expandArguments.SQL.Injection -- Drupal is an open-source content-management platform written in PHP and distributed under the GNU General Public License. The standard release of Drupal, Drupal Core, contains features common among content management systems. In 2014, an SQL injection vulnerability was discovered in Drupal Core. The vulnerability is due to insufficient validation of user-supplied data when expanding argument values used in SQL queries.

A remote unauthenticated attacker can exploit this vulnerability by sending a specially crafted parameter to a Drupal Core server. Successful exploitation could lead to arbitrary code execution under the security context of the server. This issue lies in the "expandArguments" function found in the database abstraction API in Drupal Core versions 7.x. Prior to version 7.32, this function did not properly construct prepared statements.

Malicious.JavaScript.Obfuscation.Code.Packer.Detection -- This signature helps us gauge the prevalence of popular obfuscation techniques generally used when delivering malicious JavaScript payloads. The signature attempts to detect the most common evasion tactics used to conceal mal-intended JavaScript scripts.

Certain evasion methodologies are constantly being used by threat actors to try to bypass conventional signature matching and outdated AV technology. Important functions being used by these threats include the unescape(), reverse(), and toString() functions. The order in which they appear is also significant and hence analyzed by the signature. We have observed a significant increase of events triggered across our devices related to this specific IPS signature on a daily basis, which suggests this is a popular method by attackers.

Signatures: Malicious.JavaScript.Obfuscation.Code.Packer.Detection

Malware Activity

Rank

Name

Prevalence

1

Android/Agent.FJ!tr

5,536

2

W32/Agent.AJFK!tr

5,254

3

MSOffice/CVE_2017_11882.A!exploit

4,154

4

MSWord/Agent.MY!exploit

3,948

5

Adware/Agent

3,576

A 'Rocke'-y and Cloudy Start to 2019 -- FortiGuard Labs is aware of recent activity from a malware family coined the Rocke Group that actively targets cloud products. This week, researchers released research on the cryptojacking activity that bypassed cloud security products by simply uninstalling them. The malware targets cloud workload protection platforms (CWPPs). Specifically, the products that appeared to be targeted in this attack were well known Chinese-based cloud security solutions. The malware targets Linux-based servers. It is believed that the Iron cyber-crime group, an APT believed to be of Chinese origin, is behind these attacks.

The steps taken by the malware will ultimately lead to the execution of a Monero cryptocurrency miner on the infected system. To do so, the malware will execute known exploits to attempt to get admin-level access on the machine. This will allow the malware to perform a service uninstall. Thus, the malware will attempt to uninstall various cloud security services popular in China. With the security service uninstalled, the malware will then proceed to download a payload from a server and run it. The malware may also make several attempts to ensure it is the only process in the system to mine for cryptocurrency by killing other processes and blocking other similar cryptomining malware.

Although the steps taken by this malware appear straightforward, incidences like these will only become more prevalent over time as more and more services move to the cloud. In conclusion, it is important to continue to focus on robust cloud security solutions and mitigate these challenges posed to cloud security products.

Magecart Attacks: Ecommerce Advertising on the Line? -- FortiGuard Labs is aware of recent activity from the actors behind the recent round of Magecart attacks. Earlier this week, researchers documented yet another Magecart attack on multiple ecommerce websites through code injection into a third-party JavaScript library offered by an advertising company. It appears that the organization responsible for the library has since made the appropriate amends. However, prior to its detection, there were over 250 ecommerce websites documented to be affected.

Magecart is originally an open-source shopping cart. A compromised Magecart is an exploited version of the original that aims to steal payment information through skimming scripts. This most recent documented attack was suspected to be carried out by a new subgroup of Magecart actors dubbed Magecart Group 12. To avoid detection, an obfuscated malicious JavaScript script is injected into an ecommerce site. Then, upon detecting user payment, the malicious script will record form fields and values and encode them in Base64 before sending it to the server. The origin of this attack indicates a European target and/or source as the script attempts to identify English, French, and German keywords.

Web Filtering Activity

Controlling the Control Panel -- The FortiGuard Web Filter team is aware of a phishing campaign that bypasses email security measures via a file attachment with a .cpl extension. Earlier this week, researchers released information on this phishing campaign. The emails claim to be a message from the "Servicio de Impuestos Internos," the Internal Revenue Service of Chile, and appears to target a Spanish-speaking victim. Specifically, the campaign is seen to be targeting South American citizens. The use of these .cpl files as attachments has been seen with other phishing campaigns delivering known banking Trojans, like Banload.

The original functionality of a .cpl file is intended for usage of control panel tools on Windows operating systems. Once the .cpl file has been executed, it will download the second payload to execute an OverByte ICS Logger. Upon successful execution of this payload, this keylogger will attempt to log the victim's banking information and sends it to the C2 server.

The FortiGuard Web Filter team has blacklisted all the IPs and URLs associated with this phishing campaign.